Penetration testing is a lot like stealing jewelry. There are two basic options: either plan the heist carefully, cut the alarm, pick the lock, and black out the security cameras, or kick in the front door, bust open the jewelry cases, stuff your bags, and get out before the cops show up. Of course the best option is to take the time to plan the heist, because if it’s done correctly no one gets arrested and a lot of money is made. Sometimes, though, the smash and grab is the only option available.
To perform a carefully planned penetration test, study the Penetration Testing Execution Standard (PTES) at pentest-standard.org. This is how every penetration test should be done, but unfortunately the sales guys and management haven’t read the PTES and therefore don’t allocate enough time or money to do a proper pentest. This is when the smash and grab becomes necessary.
Kick In the Front Door
Use the Social-Engineer Toolkit (SET) to get meterpreter or shell access to an internal box, which is easier than it should be. Other options include owning a ColdFusion server or finding a Tomcat Manager server or other admin console with weak or default credentials.
Bust Open the Jewelry Cases
After gaining administrative access to a machine, dump the password hashes and crack them; Ophcrack or rcracki_mt are particularly good at cracking LM hashes. Typically, the local administrator password is shared among machines throughout the internal network.
Another option is to migrate into a process that is running as a domain administrative user. There may be a service set to run under a domain admin account, or the user logged on to the box may have domain administrative privileges. If I get domain admin privileges this way, I like to create my own domain admin account using
net user username password /ADD /DOMAIN
and
net group "Domain Admins" username /ADD /DOMAIN
Make sure to remove the account when finished using
net user username /DELETE /DOMAIN
Stuff the Bags
After gaining administrative access to multiple machines, mount Windows shares on as many boxes as possible and look for sensitive data. Focus particularly on the data that makes the client money.
That is the basic smash and grab method I use on a regular basis. Feel free to share your smash and grab strategy as well.